[Snort-users] Signature question

Matt Olney molney at ...1935...
Thu Feb 4 10:29:29 EST 2010


Joel is correct.  For example, for the following (redacted) packet:

04/02-10:09:43.244152 10.4.12.226:53584 -> 10.4.10.7:5101
TCP TTL:128 TOS:0x0 ID:1232 IpLen:20 DgmLen:145 DF
***AP*** Seq: 0xA9052295  Ack: 0x3C96BE21  Win: 0xFB  TcpLen: 20
59 4D 53 47 00 0F 00 00 00 55 00 4B 00 00 00 16  YMSG.....U.K....
DC 52 A5 15 34 39 C0 80 54 59 50 49 4E 47 C0 80  .R..49..TYPING..


The following (sloppy, most likely wrong in some way) rules are all equivalent:

alert tcp any any -> any any (msg:"Content based distance/within"; content:"YMSG"; content:"TYPING"; distance: 20; within: 6; classtype: attempted-admin; sid: 1;)
alert tcp any any -> any any (msg:"Content based offset/depth"; content:"YMSG"; content:"TYPING"; offset: 24; depth: 6; classtype: attempted-admin; sid: 2;)
alert tcp any any -> any any (msg:"pcre based distance/within"; content:"YMSG"; pcre:"/^.{20}TYPING/R"; classtype: attempted-admin; sid: 3;)
alert tcp any any -> any any (msg:"pcre based offset/depth"; content:"YMSG"; pcre:"/^.{24}TYPING/"; classtype: attempted-admin; sid: 4;)

[molney at ...14754... ~]$ stest yahoo_in.pcap -l

Snort Test Suite v.0.3.0

Alerts:
1:1:0           Content based distance/within
                Alerts: 2
1:2:0           Content based offset/depth
                Alerts: 2
1:3:0           pcre based distance/within
                Alerts: 2
1:4:0           pcre based offset/depth
                Alerts: 2

Hope that makes sense,

Matt

On Thu, Feb 4, 2010 at 10:01 AM, Joel Esler <jesler at ...1935...> wrote:
> No, you can use the "R" pcre modifier which makes the pcre 'relative' to the
> last content match.  You can't use depth, offset, distance, or within with
> pcre.
> J
>
> On Thu, Feb 4, 2010 at 8:01 AM, spiffy pickle <spiffypickle at ...11827...>
> wrote:
>>
>> Hello everyone,
>>   I have a question using pcre with depth, offset, distance, and within
>> qualifiers. I can't seem to find any documentation pointing one way or the
>> other. Can you use those qualifiers with pcre? Does the pcre engine care
>> about the where the content match pointer is pointing?
>>
>> Much thanks,
>>    SP
>>
>>
>
>
>
> --
> Joel Esler
>
>
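To make the equivalence of the four rules concrete, here is a small Python model of how Snort 2 evaluates these options, written for this page rather than taken from the thread or from Snort's own code. The helper names (content_match, pcre_match, evaluate, check_all) are assumptions; the payload is the 32 bytes from the hex dump above, and the semantics modelled are the ones the thread relies on: distance/within and the pcre /R modifier are relative to the end of the previous content match, while offset/depth and an unmodified pcre are measured from the start of the payload. The example also goes one step beyond the thread: on a constructed payload where the YMSG header is preceded by four extra bytes, the two relative forms still fire and the two absolute forms do not, which is the practical difference between them.

```python
import re

# Constructed payload: the 32 bytes of the redacted packet from the post,
# "YMSG" at byte 0 and "TYPING" starting at byte 24.
PAYLOAD = bytes.fromhex(
    "59 4D 53 47 00 0F 00 00 00 55 00 4B 00 00 00 16"
    "DC 52 A5 15 34 39 C0 80 54 59 50 49 4E 47 C0 80"
)


def content_match(payload, pattern, cursor, offset=None, depth=None,
                  distance=None, within=None):
    """Model of Snort's content option (helper name is an assumption).

    distance/within make the match relative to the end of the previous
    match (the cursor); offset/depth are absolute from the payload start.
    Returns the new cursor (end of the match) or None on no match.
    """
    if distance is not None or within is not None:
        start = cursor + (distance or 0)
        end = start + within if within else len(payload)
    else:
        start = offset or 0
        end = start + depth if depth else len(payload)
    idx = payload.find(pattern, start, end)  # pattern must fit inside [start, end)
    return None if idx < 0 else idx + len(pattern)


def pcre_match(payload, regex, cursor, relative=False):
    """Model of Snort's pcre option; relative=True stands for the /R modifier.

    With /R the regex is applied from the cursor, so '^' anchors at the end
    of the last content match instead of at the start of the payload.
    '.' does not match 0x0A here (no DOTALL), like PCRE's default.
    """
    base = cursor if relative else 0
    m = re.search(regex, payload[base:])
    return None if m is None else base + m.end()


# The four rules from the post, reduced to their detection options.
RULES = {
    1: [("content", b"YMSG", {}),
        ("content", b"TYPING", {"distance": 20, "within": 6})],
    2: [("content", b"YMSG", {}),
        ("content", b"TYPING", {"offset": 24, "depth": 6})],
    3: [("content", b"YMSG", {}),
        ("pcre", rb"^.{20}TYPING", {"relative": True})],
    4: [("content", b"YMSG", {}),
        ("pcre", rb"^.{24}TYPING", {})],
}


def evaluate(rule, payload):
    """Run a rule's options in order, threading the cursor through them."""
    cursor = 0
    for kind, arg, opts in rule:
        fn = content_match if kind == "content" else pcre_match
        cursor = fn(payload, arg, cursor, **opts)
        if cursor is None:
            return False
    return True


def check_all(payload=PAYLOAD):
    """Map sid -> whether the rule fires on the payload."""
    return {sid: evaluate(rule, payload) for sid, rule in RULES.items()}


# Constructed variant: the same message preceded by 4 bytes, so YMSG sits at byte 4.
SHIFTED = b"\x00\x00\x00\x00" + PAYLOAD

if __name__ == "__main__":
    print("original:", check_all())         # all four rules fire
    print("shifted: ", check_all(SHIFTED))  # only sids 1 and 3 fire
```

On the original payload check_all() returns True for all four sids, matching the stest output above. On the shifted payload only sid 1 (distance/within) and sid 3 (pcre /R) still fire, because their search window moves with the YMSG match; sid 2 and sid 4 look at fixed byte positions and miss. That is why, when the header you anchor on is not guaranteed to be at byte 0 of the payload, the relative forms are the ones to write.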